Executive Summary
A second critical vulnerability (CVE-2024-27892) has been disclosed in Arista EOS affecting platforms running OpenConfig. Similar to CVE-2024-27890, this flaw allows gNMI Set requests that should be rejected to be processed by the switch, resulting in unauthorized configuration being applied. The CVSS score of 9.6 reflects the severe impact on network infrastructure integrity.
Organizations using Arista EOS with OpenConfig for network automation and telemetry should immediately review both CVE-2024-27890 and CVE-2024-27892 and apply patches.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2024-27892 |
| CVSS Score | 9.6 (Critical) |
| Vendor | Arista Networks |
| Product | EOS (Extensible Operating System) |
| Component | OpenConfig / gNMI interface |
| Type | Authorization Bypass |
| Attack Vector | Network |
| Condition | OpenConfig must be configured |
Technical Details
CVE-2024-27892 represents a distinct bypass condition in Arista EOS's gNMI authorization layer. When an attacker sends a crafted gNMI Set request targeting specific configuration paths, the EOS authorization check fails to reject the request as expected, and the switch processes and applies the configuration change.
The vulnerability is closely related to CVE-2024-27890 but affects a different code path or configuration scenario. Both should be treated as separate issues requiring individual remediation confirmation.
Attack scenario:
1. Attacker scans for Arista EOS switches with OpenConfig/gNMI exposed
2. gNMI port (TCP 6030) identified on reachable switch
3. Crafted gNMI Set request sent targeting sensitive config path
4. Authorization check bypassed — Set request executes
5. Unexpected configuration applied to network device
6. Attacker achieves persistent network misconfigurationWhy This Matters
Enterprise networks increasingly use OpenConfig and gNMI for network-as-code automation pipelines. Compromising gNMI authorization means an attacker can silently manipulate the network fabric in ways that may not be immediately visible in traditional monitoring — making detection difficult and dwell time long.
Affected Versions
Consult the Arista Security Advisory for CVE-2024-27892 for the comprehensive list of affected EOS versions and recommended upgrade targets.
Impact
| Area | Impact |
|---|---|
| Configuration Integrity | Unauthorized changes applied without detection |
| Network Routing | Route manipulation, traffic redirection |
| Access Controls | ACL and policy override |
| Automation Pipelines | Network-as-code pipelines may trust compromised state |
| Confidentiality | Traffic interception via route hijacking |
| Availability | Misconfiguration leading to network outages |
Remediation
Step 1: Patch to Fixed EOS Version
Apply the patched EOS version as specified in Arista's advisory for CVE-2024-27892. This should be applied alongside the patch for CVE-2024-27890.
Step 2: Harden gNMI Access Controls
# Restrict gNMI to management hosts only
ip access-list MGMT-ONLY
permit tcp 10.0.0.0/8 any eq 6030
deny tcp any any eq 6030
!
management api gnmi
transport grpc default
ip access-group MGMT-ONLY in
!Step 3: Enable gNMI Audit Logging
Ensure all gNMI operations are logged for post-incident review:
# On Arista EOS — enable management API logging
management api gnmi
audit log enable
!Step 4: Configuration Drift Detection
Deploy baseline comparison tooling to catch unauthorized changes:
# Use CVP (CloudVision Portal) or custom scripts to detect config drift
# Compare running config against version-controlled golden baseline
# Example with napalm (Python)
from napalm import get_network_driver
driver = get_network_driver("eos")
device = driver("switch.example.com", "admin", "password")
device.open()
diffs = device.compare_config()
if diffs:
print("Configuration drift detected!")
print(diffs)Relationship to CVE-2024-27890
| Attribute | CVE-2024-27890 | CVE-2024-27892 |
|---|---|---|
| CVSS | 9.6 | 9.6 |
| Type | gNMI Auth Bypass | gNMI Auth Bypass |
| Code Path | Primary bypass | Secondary bypass |
| OpenConfig Required | Yes | Yes |
| Remediation | Same patch cycle | Same patch cycle |
Both vulnerabilities require the same remediation: upgrade to the patched EOS version and harden gNMI access controls.
References
- NIST NVD — CVE-2024-27892
- Arista Security Advisory for CVE-2024-27892 (consult Arista support portal)